NGFW Internal Scan
This Playbook is part of the Core - Investigation and Response Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.6.0 and later.
This playbook investigates a scan where the source is an internal IP address.
An attacker might initiate an internal scan for discovery, lateral movement and more.
Attacker's Goals:
An attacker can leverage a scan for open ports and vulnerable systems on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services.
Investigative Actions:
- Endpoint Investigation Plan playbook
Response Actions
The playbook's response actions are based on the Endpoint Investigation Plan playbook results. In that phase, the playbook will execute:
- Auto endpoint isolation
- Manual block indicators
- Manual file quarantine
Dependencies#
This playbook uses the following sub-playbooks, integrations, and scripts.
Sub-playbooks#
- Get endpoint details - Generic
- Containment Plan
- Account Enrichment - Generic v2.1
- Endpoint Investigation Plan
Integrations#
This playbook does not use any integrations.
Scripts#
This playbook does not use any scripts.
Commands#
- closeInvestigation
Playbook Inputs#
| Name | Description | Default Value | Required |
|---|---|---|---|
| scannerIP | The scanner IP address. | alert.hostip | Optional |
| AutoCloseAlert | Whether to close the alert automatically or manually, after an analyst's review. | false | Optional |
| AutoContainment | Whether to execute automatically or manually the containment plan tasks: * Block indicators * Quarantine file * Disable user | Optional | |
| HostAutoContainment | Whether to execute endpoint isolation automatically or manually. | Optional |
Playbook Outputs#
There are no outputs for this playbook.
Playbook Image#
